Information Security Survey - Deloitte

Central Asian Information Security Survey Results (2014)

Insight into the information security maturity of organisations, with a focus on cyber security

Introduction and Executive summary

From September to November 2014 Deloitte performed its first "information security survey" in Central Asia to better understand the current state of information security programmes and governance structures at organisations in the region. The survey covers various industries and addresses how organisations view, formulate, implement and maintain their information security programmes.

The 39 survey questions covered the following areas:

1. organisational information

2. information security attacks and threats

3. information security data and technologies and

4. monitoring and reaction to identified security threats

The survey focused on cyber security risks and to that end we approached approximately 100 companies to fill in the online survey questionnaire.

We note that the survey results are presented without distinguishing by industry or organisation size, and that the results are anonymised so that no reference is made to individual organisations.

We would like to thank those organisations that participated in the survey for their cooperation. We would like to encourage other companies to participate in the next Deloitte "information security survey".

Executive summary

The survey identified the five most relevant conclusions on the current state of information security programmes (cyber security) in Central Asia, as follows:

1. The majority of companies have not been exposed to cybersecurity incidents.

2. Information security policies, procedures and responsibilities are mostly in place and defined.

3. Controls to ensure that third parties (i.e. vendors / partners) comply with appropriate security standards are insufficient.

4. Awareness of cybersecurity risks among (senior) business management and end users is insufficient.

5. Though basic security measures are in place, more advanced solutions are uncommon.

Later in this report we provide more detailed insight on survey findings.

© 2015 Deloitte LLP

Comparing global trends with the information security status in Central Asia

The number of information security incidents has been increasing globally, ranging from passive monitoring of communications to close-in attacks.

Undoubtedly, the recent Sony Pictures cyber attack, in which hackers accessed some of the corporation's most confidential data, has garnered a lot of media attention, as did a massive data breach at JPMorgan Chase & Co. that resulted in 76 million records being stolen. Another example relates to the company "Home Depot", where the credit card details of 56 million customers were siphoned off using malware installed on cash register systems.

Central Asia has also seen a number of security incidents make the news. However, compared to other regions the number of attacks appears to be limited, and for those that have been reported little information is available on the actual impact. According to the responses in this survey, approximately 65% of respondents have not experienced cyber attacks directed at their organisation (see question 1).

Although the number of publicly known cyber attacks appears to be small, this does not mean that organisations in the region are immune, and they could well be operating under a false sense of security. Given global trends, the increased number of attacks and the attention given to cyber security, it could very well be that Central Asia becomes the next target for hackers in the near future. When - not if - this happens, organisations need to be prepared.

Question 1: Have you suffered a breach in the last 12 months (multiple answers possible)?

[Bar chart, responses: We were not exposed to hacking; Virus attacks; Hacker attacks; Malware; Lost assets (lost/stolen laptops or memory cards); Weaknesses highlighted during testing; Others; Information not available. Axis: 0% to 70%.]

The majority of companies have not been exposed to cybersecurity incidents. However, evidence is insufficient as to whether this is reality or merely perception.


Profile of Central Asian Information Security survey respondents


Profile of Central Asian Information Security survey respondents (1/2)

65% of the respondents are in the Telecommunications and Finance industries (see question 2), which is not surprising as these are the industries most prone to cyber attacks.

Question 2: Which industry is your organisation in?

[Pie chart, segments: Finance; Mining; Retail trade (retail); Manufacturing; Telecommunications; Technology; Energy; Transport and Logistics; Others. Segment values shown: 43%, 22%, 14%, 14%, 7%.]

In the meantime, governments have started to pay increased attention to the security of their strategic activities and assets (such as refineries and power stations) in order to protect critical IT infrastructure - so-called SCADA systems - from unauthorised access. For that reason, senior management in the resources industry (oil, gas, energy and utilities) is also expected to focus on information security.

The majority of respondents (58%) employ more than 10 people in their IT departments. However, the survey also includes smaller IT departments, as shown in question 3 below.

Question 3: How many people does your IT-department employ?

[Pie chart, categories: 1-2; 3-5; 6-10; 11-15; >15 employees. Segment values shown: 36%, 22%, 14%, 14%, 14%.]


Profile of Central Asian Information Security survey respondents (2/2)

When asked about IT-governance standards (see question 4), the majority of organisations referred to internal (head office) policies (65%) and regulatory requirements (50%) rather than international standards such as COBIT or ITIL.

Question 4: Does your organisation adhere to IT process or security frameworks and/or standards, and if so, which ones (multiple answers possible)?

[Bar chart, responses: No; Yes, parent organisation standards; Yes, regulatory standards; Yes, ITIL; Yes, COBIT; Yes, ISO / IEC 27000; Others. Axis: 0% to 70%.]


Corporate information security maturity in Central Asia


Corporate information security maturity in Central Asia (1/4)

A number of survey questions refer to information security maturity with respect to the following topics: (1) respondents' perception of their network security, (2) the existence of policies, (3) the extent to which responsibilities around information security are defined, (4) current maturity levels and (5) the key challenges to improving corporate information security.

64% of respondents consider that their organisation has sufficient security policies and procedures in place (see question 5) and, interestingly, no respondents described their security policies and procedures as weak or insufficient.

Question 5: How secure do you think your organisation's network is?

[Pie chart, responses: Sufficiently secure; Secure to a certain extent; Information not available; Not secure; Highly secure. Segment values shown: 64%, 29%, 7%.]

Most respondents have information security policies and procedures in place (or will introduce them in the near future), with responsibilities for information security defined.

It appears that the majority of respondents have policies and procedures in place, mostly relating to (1) IT security strategy and (2) business continuity plans (see question 6). However, only a limited number of respondents indicated that they had developed a response plan for cyber security incidents.

Question 6: Which of the following (policies / procedures) has your organisation documented and approved (multiple answers possible)?

[Bar chart, responses: Information security strategy; Information security governance structure; Business continuity plans; Information security roadmap; Cyber incident response plans; None of the below. Second series: Not developed but due to be developed over the next 12 months. Axis: 0% to 60%.]
